What is Risk Management in Cyber Security?
How to Identify Risk
When it comes to security in any form, it is important to understand what you are trying to protect, and what you are protecting it from. In cyber security, we refer to what you are trying to protect as your assets. These can be physical assets, such as computers, laptops, and other technology-based devices, or they can be logical assets, also referred to as information assets. Logical assets are the important things you have stored in cyberspace, such as essential files, personal and company data, and even your computer’s software.
What you are trying to protect your assets from are Threats, the name given to whatever is responsible for causing harm. We use the word Risk to refer to the possibility of something bad happening, such as the likelihood of a threat being realised. Another common term used in cyber security is Vulnerability, a weakness that increases the likelihood, or the impact, of a risk. Risk assessments consider the threats faced by your company and the vulnerabilities (weaknesses) that you have, and determine what the risk of each event occurring is and what effect it will have on your organisation if the event does occur.
Once you have identified what you are trying to protect, you can then assign a value to each of your assets – how important is each item to the functioning of your organisation? Or perhaps the asset is important in maintaining your company’s reputation with customers. If the asset is very sensitive data, or a very expensive item, then you will want to protect it with a greater level of security than an asset which you consider to have less value. A risk to a low-value asset is likely to be more acceptable to your organisation than a risk to a high-value asset. The amount of risk that you are willing to take on is called your Risk Appetite, and it will be different for each asset, as you will be able to tolerate more risk for lower-valued items. A risk-based approach to cyber security is a balanced approach that takes the risks and assets of an organisation into consideration and designs a solution for managing risk based on asset value.
Risk management helps you to understand the risk appetite of your company, establish priorities for which risks need to be dealt with first, and respond to the risks that have been identified. Risks change over time, and can be affected by changes in the environment, so risk assessments and risk management strategies need to be regularly reviewed and updated to make sure they reflect the current risk environment of the organisation. Although your cyber security team can help make recommendations on how risk is managed, it is up to senior management to actually make the decisions on how an organisation deals with risk. Because of this, it is important for everyone to understand the 4 ways in which security risks can be dealt with.
The 4 Responses to Risk
Share (Transfer)
The responsibility of dealing with a risk can be shared by the business with a third party. This allows the business to handle larger risks than their risk appetite would normally allow, as the full effect of the risk occurring is never actually felt by the business due to the sharing of the risk, so less damage is done by the event. An example of how this works is a company insuring some physical assets, such as computers. If you own a large portfolio of expensive devices for use within your business, there is a risk that these assets may be stolen, or damaged in a disaster such as fire or flood. Taking out an insurance policy on these devices shares the risk of theft or damage with the insurance company, so now if either event does occur, the business is no longer responsible for the full cost of the loss or damages - it is shared with the insurance provider.
Reduce (Mitigate)
Reducing the impact of a risk occurring is the most common approach used in risk management. The reduction of cyber security risks is also sometimes referred to as mitigation of the risk. The aim of this approach is to bring the impact of the risk on the business down to within the risk appetite of the business. One way this strategy is used to manage risk in cyber security is through the use of firewalls. Your company may need to access the internet, and may have employees that work from home and need to access the internal work network remotely. The risk of leaving the business’s computer network open to the internet for anyone to connect to is high, and it would expose the company to too many potential threats, such as data being stolen by hackers, to be a suitable solution. Instead, the risk of exposure to the internet can be mitigated by using a firewall, which manages the traffic and prevents unauthorised users from accessing the company network and files.
Avoid
If allowing a certain activity to occur seems like too high a risk to allow, then the risk can be avoided by simply not performing that activity. You may have encountered this approach to risk through risk assessments in fields unrelated to cyber security before, as this is often a suitable option when dealing with dangerous activities that could cause injury to staff. An example of how you can avoid cyber security risks is to disconnect your company’s internal computer network from the internet, leaving the only connections available between the computers within the office building. This allows your staff to continue to work with one another and on their devices; however, without internet access there is no way for cyber criminals to hack into your system and steal or encrypt your files through ransomware, or to trick your employees into providing their login details in email-based phishing attacks. The risk of these cyber-attacks has been avoided by not allowing the internet connection to exist.
Accept
If a risk is considered to have very little effect on your business, or affects an asset that you consider to have a very low value, then you might choose to accept this risk. In cyber security terms we say that the risk appetite of your business is sufficient to cover, or accept, this risk. This response to risk means that nothing is done in order to remove the likelihood of a particular threat occurring. It is important to understand that ignoring a risk is not the same as accepting it. Ignoring a risk pretends that it doesn’t exist, and the outcomes of the threat are not considered. However, accepting a risk chooses to allow a threat to occur, because the outcomes have been considered and a decision is made that the effect on the business is minimal and manageable.
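The assessment steps described above (identify assets, value them, score each threat, compare against a risk appetite that shrinks as asset value grows, prioritise) and the four responses can be put together in a small risk register. The following Python is an added example and not code from the article or from Cool Waters; the scoring scheme (likelihood × impact on 1–5 scales), the appetite thresholds per asset-value tier, the decision order in `recommend_response`, and the sample register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat acting on an asset (hypothetical schema)."""
    asset: str
    threat: str
    asset_value: int  # 1 (low) to 5 (high): how important the asset is to the business
    likelihood: int   # 1 (rare) to 5 (almost certain): chance the threat occurs
    impact: int       # 1 (negligible) to 5 (severe): damage if it does occur


def risk_score(r: Risk) -> int:
    """Likelihood x impact, giving a 1-25 score (assumed qualitative scheme)."""
    return r.likelihood * r.impact


# Risk appetite per asset-value tier: the highest score the business will tolerate.
# Tolerance falls as asset value rises. Thresholds are assumed for this example.
APPETITE_BY_VALUE = {1: 15, 2: 12, 3: 9, 4: 6, 5: 4}


def within_appetite(r: Risk) -> bool:
    return risk_score(r) <= APPETITE_BY_VALUE[r.asset_value]


def apply_control(r: Risk, likelihood_reduction: int = 0, impact_reduction: int = 0) -> Risk:
    """Model a mitigation (such as a firewall or backups) lowering likelihood and/or impact."""
    return replace(r,
                   likelihood=max(1, r.likelihood - likelihood_reduction),
                   impact=max(1, r.impact - impact_reduction))


def prioritise(register):
    """Highest score first; ties broken so the more valuable asset comes first."""
    return sorted(register, key=lambda r: (risk_score(r), r.asset_value), reverse=True)


def recommend_response(r: Risk, control=None, insurable=False, activity_essential=True) -> str:
    """Map a risk to one of the four responses: accept, reduce, share or avoid.

    control: (likelihood_reduction, impact_reduction) an available mitigation would
    give, or None if no control exists. The order of checks is an assumption.
    """
    if within_appetite(r):
        return "accept"   # already tolerable: a conscious decision, not ignoring it
    if control is not None and within_appetite(apply_control(r, *control)):
        return "reduce"   # the control brings the residual risk within appetite
    if insurable:
        return "share"    # transfer part of the loss to an insurer
    if not activity_essential:
        return "avoid"    # stop the activity that creates the exposure
    return "escalate"     # none fits: senior management must decide


# Constructed sample register; assets and numbers are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", asset_value=5, likelihood=3, impact=5),
    Risk("office laptops", "theft", asset_value=4, likelihood=3, impact=3),
    Risk("public marketing site", "defacement", asset_value=2, likelihood=3, impact=2),
    Risk("legacy file share exposed to internet", "remote compromise",
         asset_value=4, likelihood=4, impact=4),
]

# Per-risk options a real assessment would gather from the business (assumed here).
OPTIONS = {
    "customer database": dict(control=(2, 2)),   # e.g. offline backups plus MFA
    "office laptops": dict(insurable=True),
    "public marketing site": dict(),
    "legacy file share exposed to internet": dict(activity_essential=False),
}


def assess(register=SAMPLE_REGISTER, options=OPTIONS):
    """Return (asset, threat, score, response) rows in priority order."""
    return [(r.asset, r.threat, risk_score(r),
             recommend_response(r, **options.get(r.asset, {})))
            for r in prioritise(register)]


if __name__ == "__main__":
    for asset, threat, score, response in assess():
        print(f"{score:>2}  {response:<8}  {asset} / {threat}")
```

Running the script prints the register highest-risk first, so the exposed legacy file share (score 16, avoided by decommissioning the exposure) is dealt with before the customer database (score 15, reduced to 3 by the modelled controls), the laptops (shared via insurance) and the marketing site (accepted). Re-running the assessment whenever likelihoods, impacts or appetite thresholds change is the "regular review" the article calls for.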
A great way to manage risk in cyber security is to follow an existing framework that will guide you through the steps needed to identify, assess, and mitigate the risks to your business. Some popular and well-regarded frameworks include Cyber Essentials and ISO 27001. Cool Waters helps businesses like yours to pick and implement a cyber security framework that is appropriate for their budget, company size, and risk appetite.
Arrange a free initial consultation to discover how Cool Waters can help improve the Cyber Security of your business.